Abstract

A study was performed to evaluate the reliabil- 
ity of Integrated Modular Engine (IME) concepts. Com- 
parisons were made between networked IME systems 
and non-networked discrete systems using expander 
cycle configurations. Both redundant and nonredundant 
systems were analyzed. Binomial approximation and 
Markov analysis techniques were employed to evaluate 
total system reliability. In addition, Failure Modes and 
Effects Analyses (FMEA), Preliminary Hazard Analy- 
ses (PHA), and Fault Tree Analysis (FTA) were per- 
formed to allow detailed evaluation of the IME concept. 
A discussion of these system reliability concepts is also 
presented. 

Introduction 

Integrated Modular Engine (IME) designs are 
currently being considered for use in various space propulsion
applications. 1-4 Conventional nonnetworked, or
discrete, engines are designed such that each engine sys- 
tem is a standalone unit. In the discrete system, if a tur- 
bopump fails the corresponding thrust chamber must 
also be shut down. In the networked, or modular, engine 
concept, however, all turbopump assemblies and thrust 
chamber assemblies are joined by common manifolds. 

In this system, therefore, a turbopump or thrust chamber 
could be shut down independently should a failure occur 
in either component. Therefore, the IME offers poten- 
tial advantages of increased fault tolerance and reliabil- 
ity when compared to discrete systems. The purpose of 
this report is to evaluate and compare the reliability of 
the IME and the discrete engine systems, to determine 
the reliability drivers of the IME, and to conduct a sensi- 
tivity study of the effects of component failures on sys- 
tem reliability of the IME. 

Both quantitative and qualitative techniques 
were used to evaluate the IME reliability. The quantita- 
tive analyses consisted of binomial and Markov analy- 
ses. A binomial approximation technique was employed 
to characterize the reliability of the system based on
component shutdown probabilities. Markov techniques
were also used to evaluate the effects of engine burn 
duration on system reliability based on component fail- 
ure rates. Because of the large uncertainty in the avail- 
able component reliability data, the emphasis of the 
binomial approximation and Markov analyses was to 
conduct relative comparisons between modular and dis- 
crete systems, rather than to obtain absolute failure data. 
The qualitative techniques included Failure Modes and 
Effects Analyses (FMEA), Preliminary Hazard Analy- 
ses (PHA), and Fault Tree Analyses (FTA). An FMEA 
was conducted for the IME to determine the effects of 
single-point failures on the system. A PHA was used to 
identify potential hazards associated with the operation 
of the IME. Finally, an FTA was prepared to assist in the 
characterization of system-wide failures. 


An Integrated Modular Engine system schematic
is provided in Fig. 1. This design is based on a
NASA Lewis Research Center effort to examine the
IME concept and to determine methods of physically
assembling such a system. 5 In this IME design an
expander cycle configuration was used. As a baseline, 
eight thrust chamber assemblies are connected with four 
fuel and four oxygen turbopump assemblies. Five mani- 
folds are required in this design to connect the thrust 
chambers and the turbopumps. Shutoff valves are used 
to isolate the pumps, turbines, and the thrust chambers 
in the event of a degradation of any of these compo- 
nents. The required number of valves for the IME is 66, 
with 4 valves for each thrust chamber, fuel turbopump 
and oxidizer turbopump, plus 2 turbine bypass valves. 
Details of this IME design are provided in reference 5. 
By comparison, a discrete system, shown in Fig. 2, has 
no manifolds and 4 valves for each engine for a total of 
32 valves. 

Analysis Techniques and Results
Several quantitative and qualitative techniques 
were used to evaluate the reliability of the IME, including
binomial approximation, Markov analysis, FMEA,
PHA, and fault trees. A description of each process is
included, and results for the above system configuration 
are provided for each of the techniques. 

Binomial Approximation

In the binomial approximation technique, also 
known as the k-out-of-N modeling technique, it is
assumed that k components out of a total of N components
must operate for the entire system to perform successfully.
Therefore, the technique applies only to cases
where redundancy is used. The following equation is 
used in the binomial approximation analysis of redun- 
dant systems: 6 

To analyze the IME system with redundancy,
the reliability of each subsystem (fuel pump, oxidizer
pump, fuel turbine, oxidizer turbine, thrust chamber)
was obtained by multiplying the reliabilities of the components
in each redundant subsystem (components in
series). The total subsystem reliability was then
obtained by using the binomial equation for the parallel
subsystems. For instance, for the fuel turbopumps, k = 3
and N = 4 for the baseline case. The total system reliability
was then obtained by multiplying the total subsystem
reliabilities. For the discrete system the reliability of
each engine was obtained by multiplying the reliabilities
of each component. The binomial approximation was
then used to obtain total system reliability (k = 7, N = 8
for the baseline case) for the parallel engine systems.

For the cases without redundancy, the part reliabilities
can be multiplied to obtain a total system reliability,
$P_{R_{Total}}$. The total system failure probability is
calculated in either case as $1.0 - P_{R_{Total}}$.

Tables I and II provide lists of components and 
their estimated failure rates for the IME and discrete 
systems, respectively. The failure rate is defined as the 
number of failures per 1000 firings (fir) for the binomial
analysis. With the exception of the manifold estimates,
these failure rates were obtained from reference 4, 
where the Pratt & Whitney Rocket Engine Reliability 
Database was used. This database takes into account 
historical engine failures based on flight data. Because 
of the limited amount of data available, a high degree of 
uncertainty associated with the failure rates can be 
expected. However, the use of the data does allow for 
relative comparisons between IME and discrete systems. 
The manifold failure rates are based on information 
from hydrogen and oxygen ducting. Again, a high 
degree of uncertainty is associated with these manifold 
failure rates. A sensitivity analysis was performed on the 
valve and manifold shutdown rates to determine the 
effects of these parameters on overall system reliabil- 
ity. Several key assumptions were used to formulate the 
analysis using the binomial distribution: 

1. No partial failures are allowed; the only condi- 
tions are success and failure. The components 
are not repairable. 

2. Only active redundancy is considered (i.e., all 
components are operating prior to the failure of 
any component). 

3. No operating range concerns were included in 
the analysis (i.e., if one IME turbopump fails, it 
is assumed that the remaining turbopumps can 
meet the power requirement with no change in 
their reliability). Therefore, the failure rates 
were constant and independent of the number of 
components functioning. 

4. The health monitoring system can identify and 
respond to a problem 100 percent of the time. 

5. No common cause failures were included. 

6. Sensor and controller reliabilities were not 
included in the analysis. 

7. If a turbine (pump) failed on either the oxygen 
or hydrogen circuit the corresponding pump 
(turbine) would be deactivated. 

8. Loss of a turbine bypass valve will lead to IME 
system loss (bypass simultaneously affects all 
turbines and adverse effects cannot be miti- 
gated). 
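
The following Python example is added here and is not part of the original report: it applies the procedure described above (series reliability inside each unit, the standard k-out-of-N binomial sum across redundant units, single points multiplied in) to an eight-chamber IME and an eight-engine discrete system, and sweeps the manifold shutdown rate. The shutdown rates are constructed for illustration and are not the values of Tables I and II, and pump and turbine are grouped into one turbopump unit as a simplification.

```python
from math import comb

# Constructed shutdown rates per 1000 firings. These are illustrative
# assumptions, NOT the values from the report's Tables I and II.
RATES = {"chamber": 0.3, "turbopump": 0.5, "valve": 0.2,
         "manifold": 0.3, "bypass_valve": 0.2}


def rel(rate_per_1000, count=1):
    """Reliability of `count` identical components in series for one firing."""
    return (1.0 - rate_per_1000 / 1000.0) ** count


def k_out_of_n(k, n, r):
    """Probability that at least k of n independent units of reliability r work."""
    return sum(comb(n, i) * r**i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


def ime_reliability(chambers=8, spares=1, rates=RATES):
    """Networked system: redundant groups in series with the single points."""
    pumps = chambers // 2  # half as many turbopump assemblies as chambers
    # One unit = the component plus its 4 valves, all in series.
    tca = rel(rates["chamber"]) * rel(rates["valve"], 4)
    tpa = rel(rates["turbopump"]) * rel(rates["valve"], 4)
    redundant = (k_out_of_n(chambers - spares, chambers, tca)
                 * k_out_of_n(pumps - spares, pumps, tpa) ** 2)  # fuel and oxidizer
    # Five manifolds and two turbine bypass valves, none of them redundant
    # (assumption 8 treats loss of a bypass valve as loss of the system).
    single_points = rel(rates["manifold"], 5) * rel(rates["bypass_valve"], 2)
    return redundant * single_points


def discrete_reliability(engines=8, spares=1, rates=RATES):
    """Stand-alone engines: chamber, two turbopumps and 4 valves in series."""
    engine = (rel(rates["chamber"]) * rel(rates["turbopump"], 2)
              * rel(rates["valve"], 4))
    return k_out_of_n(engines - spares, engines, engine)


def failures_per_1000(reliability):
    """Total system failure probability (1.0 - reliability) per 1000 firings."""
    return 1000.0 * (1.0 - reliability)


def manifold_sweep(manifold_rates, chambers=8):
    """IME failures per 1000 firings as the manifold shutdown rate varies."""
    return [(m, failures_per_1000(
                ime_reliability(chambers, rates=dict(RATES, manifold=m))))
            for m in manifold_rates]


if __name__ == "__main__":
    print("discrete:", round(failures_per_1000(discrete_reliability()), 4))
    print("IME     :", round(failures_per_1000(ime_reliability()), 4))
    for m, f in manifold_sweep([0.0, 0.1, 0.3, 0.5]):
        print(f"manifold rate {m:.1f} -> IME failures/1000 firings {f:.4f}")
```

With these constructed rates the non-redundant manifolds and bypass valves dominate the IME result, while the redundant groups contribute only second-order terms.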

The binomial analysis was performed over a 
range of 2 to 12 thrusters. For the IME the number of 
turbopump assemblies was half the number of thrust 
chamber assemblies in each case. In addition, in the 
cases without redundancy the IME design did not 
include the isolation and check valves for the turboma- 
chinery or for the nozzle coolant channel. These isola- 
tion and check valves would only be required for 
component isolation after failure; in the case without 
redundancy any component failure will cause total system
failure and isolation would not be necessary.

The results of the binomial approximation 
analysis are shown in Figs. 3 to 6. Figure 3 compares the 
reliability of the IME with that of the discrete system for 
systems with 2 to 12 thrust chambers and where no 
redundancy is available (i.e., all components must oper- 
ate). From the figure it can be seen that the discrete sys- 
tems showed higher reliabilities than the IME systems 
for cases with less than six thrust chambers. For six 
thrust chambers and higher the IME proved to be more 
reliable than the discrete system. At low numbers of 
thrust chambers the manifold failure probability causes 
the IME system reliability to be reduced in comparison 
to the discrete system. As the number of thrust chambers 
is increased, the turbomachinery becomes a more 
important factor in the total system reliability. Because 
the IME has fewer turbopumps than the discrete system, 
the IME becomes more reliable than the discrete system 
as the number of thrust chambers and turbopump assem- 
blies is increased. 

Figure 4 shows a similar comparison assuming 
that the system has redundancy and can operate with one 
thrust chamber and one turbopump shutdown. In the 
case of the IME, this means that one turbopump and one 
thrust chamber could be shut down and the IME system 
would still meet the system thrust requirement; in the 
discrete system, if either a thrust chamber or turbopump 
was shut down, one entire engine system could be shut
down and the system would still meet the thrust require- 
ment. It is apparent from a comparison of Figs. 3 and 4 
that redundancy provides a significant benefit for both 
systems. Redundancy increases reliability by routing 
component failure to other operating components. As 
can be seen by Fig. 4, the discrete system showed higher 
system reliabilities when compared to the IME. The dis- 
crete system showed reliabilities between 0.99998 and 
0.99975 for 4 to 12 thrusters. These reliabilities corre- 
sponded to total system failure rates of 0.02 to 0.25 per 
1000 firings. In contrast, the IME had reliabilities which 
varied from 0.99789 to 0.99773, or failure rates of 2.11
to 2.27 per 1000 firings. Therefore, the system failure 
rates for the IME were approximately one order of mag- 
nitude higher than the discrete system. 

From preliminary reliability studies not 
included in this report it appears that the reliability driv- 
ers are the valves and the manifolds, specifically 
because the turbine bypass valves and the manifolds 
represent the potential for single point failures. There- 
fore, sensitivity studies were performed on the reliabili- 
ties associated with these components. Figure 5 shows 
the effect of valve shutdown rate on system reliability 
for both the discrete and IME systems with eight thrust 
chamber assemblies. The valve failure rate (shutdown
rate) was varied from 0 to 0.5 per 1000 firings. From the
figure it can be seen that, even if the valves had a shut- 
down rate of 0 (100 percent reliability), the IME showed 
lower reliabilities than the discrete system. Because the 
turbine bypass valve represents a single point failure 
under the assumptions given previously, the analysis 
was also performed allowing redundancy in the bypass 
valves. Again, the discrete system showed higher reli- 
abilities than the IME, but the reliability of both the dis- 
crete and IME systems did improve with the addition of 
redundancy. It should be noted that, because of the 
uncertainty in whether the loss of turbine bypass valves 
causes system failure, further analyses are required to
determine the dependence of the system on these valves. 
However, this figure illustrates that, although the valve 
failure rate can affect the total system reliability, the 
valves do not appear to be the reason for reduced IME 
reliability in comparison to the discrete engine system. 

Figure 6 shows the effect of manifold failure 
rate on total system reliability. From the figure it can be 
seen that the discrete engine concept provides higher 
reliabilities when compared to the IME concept except 
when manifold reliability was high and the turbine 
bypass valves were assumed to be redundant. The dis- 
crete system showed no change because no manifolds 
were assumed in this system. Examination of the design 
in Fig. 1 shows that the manifolds represent a single 
point failure, where loss of a manifold results in loss of 
the system. The manifolds would include the connec- 
tions from the component piping (flanges, fasteners, 
etc.) as well as the ducting itself. Therefore, because the 
manifold has been shown to be the key reliability driver, 
it may be necessary to focus future efforts in IME design 
on manifold reliability, including connections, for the 
IME concept to achieve reliabilities similar to that of the 
discrete system. 

The results of the binomial analysis show the 
significant improvement in system reliability derived 
from redundancy. Discrete systems increase reliability 
by isolating failures to the singular unit and reducing 
dependence on shared components, such as manifolds. 
Therefore, based on this analysis, the real reliability 
issue is not redundancy but the actual system design. 

Markov Analysis 

Markov analysis techniques are useful tools in 
the reliability modeling of stochastic systems. ^ To this 
end, a time-homogeneous Markov process with finite 
state space was used to compare the time-dependent 
reliability of IME and discrete engine system designs. 
Recording the degradation of system reliability with 
time proves useful in defining system operation enve- 
lopes based on demanded reliability and component fail- 
ure rates. Furthermore, system reliability can be defined 
based on component integration and, to some extent,
mutual component interaction for common cause analy- 
sis. The reliability results of IME and discrete engine 
system design concepts are presented subsequently. The 
initial discussion focuses on briefly introducing the 
Markov technique and assumptions employed. As in the 
binomial analysis, emphasis is centered on system sensi- 
tivity to component failure rates and not on the absolute 
magnitude of these rates. 

The time-homogeneous Markov analysis technique
determines a system's reliability over time based
on the system's present operational condition (state). A
state is defined as a given combination of failed and
healthy components. A system state space comprises all
states which the system can occupy: an assumed initial
no-failure state ($Z_0$), single or multiple failed component
state ($Z_i$), and a final system failed state ($Z_f$). A
simple Markov state space is diagrammed in Fig. 7. The
system progresses in time from state $Z_0$, at time $t = 0$, to
other states within the finite state space. The transition
probability, $P_{ij}$, characterizes the likelihood of the system
transitioning from any current state $Z_i$ to a new
state $Z_j$ in which a single system component has failed
during discrete time interval $\delta t$. System state transition
probability is directly proportional to the component
failure rates and, in general, is only dependent on $\delta t$
(time-homogeneous).

The results of this type of analysis are insightful.
As time progresses during system operation, the
probability of system failure is determined by the rate at
which its individual components fail and how their failure
will impact the system. Increases in system failure
probability during each successive time interval establish
a failure probability distribution. This probability
distribution documents the temporal increase in system
failure probability, and its difference from unity at each
time step defines the system reliability $R_{Sys}$. Similarly,
the mean time to failure ($MTTF_S$) (i.e., the expected
time to system failure) may be determined from the distribution.

Unless noted otherwise, component failure 
rates were from reference 4 and are listed in Tables I and 
II. The components considered in these Markov analy- 
ses were the liquid oxygen turbopumps, liquid hydrogen 
turbopumps, thrust chamber assemblies and the mani- 
folds, and turbine bypass valves. Each component fail- 
ure rate is a composite of the failure rates of 
subassemblies that are considered to comprise the com- 
ponent. Thus, if any one component subassembly fails, 
the component itself failed. 

Finally, some assumptions invoked in this 
Markov analysis follow: 

1. All components are nonrepairable, actively
redundant, load sharing, and, upon failure, fail
completely (no partial failures). Load sharing
implies that component failure rates are proportional
to the load carried by the component.

2. For the IME design, the manifolds and turbine 
bypass valves were represented as single point 
failures. 

3. When an IME thrust chamber assembly fails, the
thrust chamber assembly 180° from the failed
one is immediately shut down in order to maintain
thrust balance. Hence, failing one thrust
chamber assembly results in a net loss of two
during a state transition.

4. System failure was assumed to occur when the 
system can no longer provide 100 percent 
thrust. IME system failure was defined as 
greater than one failed liquid oxygen tur- 
bopump assembly, greater than one failed liquid 
hydrogen turbopump assembly, greater than 
four shutdown thrust chamber assemblies (i.e., 
greater than two failed overall), and instanta- 
neous failure with the single-point failures. Dis- 
crete system failure was defined as greater than 
four failed engines. 
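
The following Python example is added here and is not code from the original report: it steps a time-homogeneous Markov chain built from assumptions 1 to 4 above in one-second intervals, then reads off the firing duration at a demanded reliability and the mean time to system failure. It assumes the 0.0003 failures/second baseline rate the report uses in its sensitivity study for every component, lumps the manifolds and turbine bypass valves into one single-point element, and treats a discrete engine as a chamber plus two turbopumps in series, so it does not reproduce the report's figures.

```python
from functools import partial

LAMBDA = 0.0003            # failures/second, baseline rate quoted in the text
ENGINE_RATE = 3 * LAMBDA   # assumed discrete engine: chamber + 2 turbopumps in series
FAILED = "FAILED"          # state entered through a single-point failure


def shared_rate(n_total, n_failed, unit_rate):
    """Total failure rate of the surviving units of a load-sharing group."""
    operating = n_total - n_failed
    per_unit = unit_rate * n_total / operating  # rate proportional to load carried
    return operating * per_unit


def ime_transitions(state, single_point_rate=LAMBDA):
    """State = (failed LOX turbopumps, failed LH2 turbopumps, failed chamber pairs)."""
    lox, lh2, tca_pairs = state
    return [
        ((lox + 1, lh2, tca_pairs), shared_rate(4, lox, LAMBDA)),
        ((lox, lh2 + 1, tca_pairs), shared_rate(4, lh2, LAMBDA)),
        # A failed chamber also shuts down the opposite one: two lost per transition.
        ((lox, lh2, tca_pairs + 1), shared_rate(8, 2 * tca_pairs, LAMBDA)),
        (FAILED, single_point_rate),
    ]


def ime_failed(state):
    if state == FAILED:
        return True
    lox, lh2, tca_pairs = state
    return lox > 1 or lh2 > 1 or tca_pairs > 2  # more than 4 chambers shut down


def discrete_transitions(failed_engines):
    return [(failed_engines + 1, shared_rate(8, failed_engines, ENGINE_RATE))]


def discrete_failed(failed_engines):
    return failed_engines > 4


def reliability_curve(initial, transitions, is_failed, seconds, dt=1.0):
    """Reliability at t = 0, dt, 2*dt, ...; failed probability mass is dropped."""
    probs = {initial: 1.0}
    curve = [1.0]
    for _ in range(int(seconds / dt)):
        nxt = {}
        for state, p in probs.items():
            stay = p
            for target, rate in transitions(state):
                moved = p * rate * dt  # transition probability in one interval
                stay -= moved
                if not is_failed(target):
                    nxt[target] = nxt.get(target, 0.0) + moved
            nxt[state] = nxt.get(state, 0.0) + stay
        probs = nxt
        curve.append(sum(probs.values()))
    return curve


def firing_duration(curve, demanded, dt=1.0):
    """Longest firing time for which reliability stays at or above `demanded`."""
    t = 0
    while t + 1 < len(curve) and curve[t + 1] >= demanded:
        t += 1
    return t * dt


def mttf(curve, dt=1.0):
    """Mean time to system failure as the sum of the survival probabilities."""
    return dt * sum(curve)


def compare(seconds=6000, demanded=0.99):
    cases = {
        "ime": ((0, 0, 0), ime_transitions, ime_failed),
        "ime_no_single_points": (
            (0, 0, 0), partial(ime_transitions, single_point_rate=0.0), ime_failed),
        "discrete": (0, discrete_transitions, discrete_failed),
    }
    out = {}
    for name, (start, trans, failed) in cases.items():
        curve = reliability_curve(start, trans, failed, seconds)
        out[name] = {"t_demanded": firing_duration(curve, demanded),
                     "mttf": mttf(curve)}
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```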

Figure 8 graphs the temporal decay of reliabil- 
ity of IME and discrete systems. At all system firing 
times, the discrete engine system had higher reliability 
than the IME system. The IME system demonstrated a 
899-second $MTTF_S$ in comparison to the discrete system
with a 1964-second $MTTF_S$. The reduced mean time to
system failure of the IME was the result of, in part, sys- 
tem sensitivity of single point failures (manifolds, tur- 
bine bypass valves) and, in part, the intrinsically higher 
dependence of system operation on a smaller number of 
components. Likewise, at a demanded 99 percent reli- 
ability level, the discrete system could operate for 470 
seconds longer than the IME system, from 500 seconds 
(discrete) to 30 seconds (IME). The capability of calcu- 
lating acceptable firing durations based on component 
failure rates and demanded system reliability demon- 
strates the merit of the Markov analysis technique. 

The IME system was found to be vulnerable to 
single point failures by the binomial analysis. Hence, the 
effect of assumed single point failure probability on 
IME system reliability was investigated by assuming 
failure-free (100 percent reliability) manifolds and tur- 
bine bypass valves (TBPVs) using Markov. System reli- 
ability improved as shown in Fig. 9. A dramatic 
improvement of 377 percent was achieved in firing 
duration (30 to 143 seconds) at 99 percent reliability 
when manifold/TBPV reliability is set to 1.0. Improvements
in system firing time tapered off at lower reliability
levels, indicating a decreasing importance of single-point
failures with time. This point is expanded further
subsequently. Note that these increases in firing dura- 
tion, however large, were still less than the predicted fir- 
ing durations of the discrete systems at all reliability 
levels. 

Clearly, total system reliability is dependent on 
each component's failure rate. When a system's sensitiv- 
ity to these rates is established, critical components that 
dictate system reliability are identified for reliability 
enhancement. A constant failure rate (0.0003 failures/ 
second) was imposed on all system components as a 
baseline. Each component's failure rate was then sys- 
tematically doubled, and the resulting system reliability 
was compared with the baseline case. 

With the noted exception of the manifolds/ 
TBPVs at a reliability level greater than 94 percent for 
the IME system, the turbopumps were the most critical 
components in determining reliability for all systems 
(discrete, IME). Figure 10 illustrates the reliability curve 
crossover of the manifold/TBPV with both the tur- 
bopumps and thrust chambers for the IME system. This 
crossover was due to both a faster rise and larger spread 
in the distribution of system failure probability due to 
doubling the manifold/TBPV failure rate. Also, the fail- 
ure of thrust chamber assemblies was more significant 
for a discrete system than an IME system at the 99 per- 
cent reliability level. Firing durations decreased by 25 
percent (247 to 186 seconds) in comparison to 3 percent 
(31 to 30 seconds) for the IME system. The results con- 
firm the obvious fact that increasing component failure 
rates decrease system reliability. 

Finally, the health monitoring system for all 
these analyses was assumed to instantly respond 100 
percent of the time to component failure by shutting off 
and isolating the failed component. However, if an 80 
percent effective health monitoring system assumption 
is used, then 20 percent of all component failures go 
undetected. Invoking this assumption, the reliability of
the redundant IME system is instantaneously dimin- 
ished, at each second, by 20 percent of the failures expe- 
rienced by a nonredundant system (ref. 4). This assumes 
that allowing the failed component to operate does not 
cause catastrophic system failure. Figure 11 demonstrates
an 80 percent reliable health monitoring system
degrading reliability of the IME system. For example, 
system reliability decreased approximately 13 percent 
for a 500-second firing duration. This reliability decline 
increases with increasing firing duration until the system 
fails with 100 percent probability at approximately 1300 
seconds. 

Failure Modes and Effects Analysis 

A Failure Modes and Effects Analysis (FMEA)
is an inductive technique which provides a method for
systematically identifying which parts can fail, how they
fail, and what the effects of the failures are. Once the
FMEA is completed, a Critical Items List (CIL) is pre- 
pared; the CIL provides a summary of the items which 
represent single point failures to the system. Generally, 
the FMEA is used as a qualitative approach, although 
the method can be used quantitatively by assigning fail- 
ure probabilities for critical items and summing the indi- 
vidual probabilities. The advantages of using an FMEA 
analysis are that single point failures can be identified, 
and hazards can be identified on a piecepart level. The 
disadvantages of the FMEA lie in that, because the con- 
centration is on individual failures of components, com- 
bined effects of coexisting failures (common cause 
failures) are not considered. 

An FMEA was performed on the IME to iden- 
tify component failure modes and their effects on the 
IME. Table III shows an example from this FMEA for 
the Oxidizer Pump Outlet Manifold, which includes the 
ducting and the connections to the manifold. Failure 
modes on manifolds include crack/fatigue failures, contamination
in ducting and seals or sealing surfaces, seal
failure, and fastener torque relaxation. Previous studies 
showed that leakage through flanges from fastener 
torque relaxation could present major problems in flight 
systems. Methods of mitigating this failure mode 
require investigation for the IME because of the large 
number of bolted flanges in this system. One option 
could be to incorporate all-welded connections to 
remove these failure modes; however, this design modi- 
fication would reduce the ability to change out compo- 
nents prior to flight, thus reducing the flexibility of the 
IME. The CIL showed that the ignitor power supply fail- 
ure, manifold failure, and valve actuator failure could be 
single point failures in the IME design. 

Preliminary Hazard Analysis

A Preliminary Hazard Analysis (PHA) is a 
qualitative inductive method used to assess the potential 
hazards posed by the system. The PHA is usually pre- 
pared in conjunction with the FMEA. The objectives of 
the PHA are to identify the potential hazards within a 
system and to determine the significance of the potential 
accidents that might result from those hazards. Once 
identified, control measures are developed for each of 
the hazards. These hazard reduction control measures 
are, in the preferred order of application, as follows:

1. Design change

2. Engineered safety devices (e.g., redundant backups,
relief valves, etc.)

3. Safety devices (e.g., guards, shields, personnel protection
devices, etc.)

4. Warning devices (e.g., alarms, lights, etc.)

5. Procedures and training

A PHA allows the qualitative identification of 
both the probability and severity of the risks in the sys- 
tem. Hazard probability and severity values are defined 
in reference 9. However, the technique does not allow 
for identifying common cause failures and does not han- 
dle complex interactions in the system. 

Table IV shows an example page from the PHA 
developed for the IME. The hazard considered here is 
fire or explosion in a manifold from leakage of propel- 
lants or from improper venting and routing of propel- 
lants. Control procedures include hardware safety 
factors, contamination control procedures, and leak 
checks prior to operation. Projectiles also were found to 
present a hazard to the manifold. Impact may cause 
cracking or a surface anomaly leading to a failure and 
the potential for loss of chambers or turbopumps. Con- 
trol procedures for projectiles are similar to those 
described for the fire/explosion hazard. 

Fault Tree Analysis 

A Fault Tree Analysis (FTA) is a deductive 
failure analysis technique which identifies one top event 
and provides a method for determining the causes of that 
event. 10 This approach differs significantly from those 
discussed previously in that the analyst postulates that 
the system has failed in some way and then attempts to 
determine all credible ways in which the undesired 
event can occur. The fault tree is a graphical model of 
the sequences of faults and failures that lead to the 
undesired event. Therefore, the fault tree represents the 
logical relationship between some basic events and the 
top event. The fault tree is a qualitative model of the 
events leading to failure which can be evaluated quanti- 
tatively. The quantitative evaluation of fault trees forms 
one of the core techniques in the probabilistic risk 
assessment (PRA) of nuclear power plants. 

Fault trees are especially attractive for large, 
complex systems such as the Integrated Modular Engine 
because of the following: 

1. The pictorial display of the system provides 
insights into the failure consequence chains. 

2. The relative effects of contributing factors to
failure of the system can be identified quantitatively.

3. The weak points in the system can be quantita- 
tively identified. 

4. The vulnerability of the system to common 
cause failures can be readily identified. 


Limitations to using a fault tree are that the 
analyst may not include all failure possibilities (errors of 
exclusion), there may be large uncertainty in the failure 
rate data, and the process can be extremely time-con- 
suming. However, probabilistic techniques, including 
fault tree analyses, have been useful in assessing risk in 
many NASA applications. 14 

Figure 12 shows a sample page from the IME 
fault tree. The fault tree was prepared at NASA Lewis 
Research Center using the IRRAS code. IRRAS is a 
model developed for the U.S. Nuclear Regulatory Com- 
mission for the performance of probabilistic risk assess- 
ments. 15 (The symbols used in the figure are defined in 
Fig. 13.) This fault tree did not include the failure of the 
turbine bypass valves due to the uncertainty associated 
with the system dependence on these components. From 
the figure the top level event is “Failure of IME to pro- 
vide required thrust;” this event can occur if any of the 
second level events occur. Note that, if the “Failure of 
LH2 TPA/valves to provide flow” gate is examined, this 
second level event can occur if the turbopumps are lost 
or if the valve actuator pneumatic pressure is lost, 
assuming all the fuel turbopump valves operate using 
the same pneumatic pressure. According to the fault 
tree, then, common cause failure could occur such that 
all the valves are lost as a result of the pneumatic pres- 
sure loss. This illustrates the strength of the fault tree 
approach, the identification of common cause failures 
such as valve actuator failure identified in this analysis. 
The FTA also showed that a circuit malfunction in the 
ignitor power supply could represent a common cause 
failure if the ignitors of all the thrust chambers operate 
off the same power supply. It appears from an examina- 
tion of the fault tree that the IME may be more suscepti- 
ble to common cause failures than discrete systems. 

In the nuclear industry, both reactor operating 
experience and PRA results consistently indicate that 
these common cause failures are major contributors to 
accidents. 12 Reference 16 states that propulsion systems 
are inherently vulnerable to correlated (common cause) 
failures due to their high energy. Therefore, further 
efforts using quantitative probabilistic risk assessment 
techniques are required to determine the impact of com- 
mon cause on the IME. 

Concluding Remarks

A study was conducted to evaluate the reliabil- 
ity of IME concepts. The reliability of the IME was 
compared to that of discrete engines using an expander 
cycle configuration. Binomial approximation techniques 
and Markov analyses were conducted to form this com- 
parison. In addition, a Failure Modes and Effects Analy- 
sis, a Preliminary Hazard Analysis, and a Fault Tree 
Analysis were developed for the IME to determine the
critical parameters and high risk components in the 
IME. 

The results from the binomial approximation analysis showed quantitatively that the manifolds are the key reliability driver in the IME, and that the IME requires low probability of manifold failure for the concept to show benefit compared to discrete systems. Therefore, from the analysis the IME will be a less reliable engine system than the discrete system in most cases, based on the assumptions and techniques used here. These results were confirmed by the Markov analysis. In addition, the Markov analysis showed that the IME had a lower mean time to system failure and a lower median failure time than the discrete engine system. The results of the Markov and binomial approximation techniques clearly show a significant improvement in system reliability derived from redundancy and designing rocket systems using independent engine units. Redundancy increases reliability by routing component failure to other operating components. Discrete engine systems increase reliability by isolating failures to the singular unit and reducing the dependence of engine functionality on shared components such as manifolds. Hence, based on this analysis, the real reliability issue is not redundancy but system integration (the system design itself). These analyses were performed on the basis of eight thrust chambers. Future systems may actually require fewer thrust chambers, depending on the mission chosen. Although the trends will be similar for fewer thrusters, future reliability studies will be required once the actual engine configuration is defined.
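The comparison summarized above can be sketched numerically. The following is an added example, not code or data from the report: it applies a k-out-of-n binomial model to discrete engines and to a networked system whose shared manifolds sit in series, then solves for the manifold shutdown probability at which the two break even. Assumptions: independent failures, constructed per-firing shutdown probabilities, eight turbopump sets in the IME, the five manifolds listed in Table I, and hypothetical function names.

```python
from math import comb

N_UNITS = 8        # eight thrust chambers, as in the report
N_MANIFOLDS = 5    # the five shared manifolds listed in Table I

def at_least(n, k, r):
    """P(at least k of n independent units, each with reliability r, operate)."""
    return sum(comb(n, i) * r**i * (1 - r)**(n - i) for i in range(k, n + 1))

def discrete_reliability(q_tp, q_tc, outs, n=N_UNITS):
    """Discrete engines: a turbopump shutdown also takes out its own chamber,
    so each engine is a series string and at most `outs` engines may be lost."""
    return at_least(n, n - outs, (1 - q_tp) * (1 - q_tc))

def ime_reliability(q_tp, q_tc, q_man, outs, n=N_UNITS, n_man=N_MANIFOLDS):
    """IME: turbopumps and chambers are pooled separately (up to `outs` of each
    may be lost), but every shared manifold is a series, single-point element."""
    pooled = at_least(n, n - outs, 1 - q_tp) * at_least(n, n - outs, 1 - q_tc)
    return pooled * (1 - q_man) ** n_man

def break_even_manifold_q(q_tp, q_tc, outs, tol=1e-12):
    """Largest manifold shutdown probability at which the IME still matches the
    discrete system, found by bisection (IME reliability falls as q_man rises)."""
    target = discrete_reliability(q_tp, q_tc, outs)
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if ime_reliability(q_tp, q_tc, mid, outs) > target:
            lo = mid
        else:
            hi = mid
    return lo

# Constructed per-firing shutdown probabilities (assumptions, not report data).
Q_TP, Q_TC = 1e-3, 5e-4

if __name__ == "__main__":
    for outs in (0, 1):
        q_star = break_even_manifold_q(Q_TP, Q_TC, outs)
        print(f"outs={outs}: discrete={discrete_reliability(Q_TP, Q_TC, outs):.6f} "
              f"IME(q_man=0)={ime_reliability(Q_TP, Q_TC, 0.0, outs):.6f} "
              f"break-even q_man={q_star:.2e}")
```

With these constructed inputs the break-even manifold shutdown probability for the one-out case is on the order of 10^-6 per firing, roughly two orders of magnitude below the assumed chamber value, and with no redundancy it is effectively zero.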

Failure Modes and Effects Analysis, Preliminary Hazard Analysis, and Fault Tree Analysis techniques were also used to assess the reliability of the Integrated Modular Engine concepts. All three techniques are necessary for a complete evaluation of a rocket engine system design. Future efforts should concentrate on quantitative fault tree analysis tradeoffs to improve the reliability of the IME, or any other rocket propulsion system considered for space applications.

TABLE I. - INTEGRATED MODULAR ENGINE PARTS SUMMARY


| Subassembly | Component | Number in set | Total number | Part failure rate (/1000 sec) (Markov) | Part shutdown rate (/1000 fir) (Binomial) |
|---|---|---|---|---|---|
| LOX pumps/turbines | Turbine | 1 | | 0.0175 | 0.1466 |
| | Pump | 1 | | * | |
| | Check valve | 2 | | | 0.2000 |
| | Shut-off valve | 2 | | | |
| | Pump exit line | 1 | | 0.0111 | 0.0335 |
| | Turbine inlet line | 1 | | 0.0111 | 0.0335 |
| | Turbine exit line | 1 | | 0.0111 | 0.0335 |
| H2 pumps/turbines | Turbine | 1 | | 0.0194 | 0.2419 |
| | Pump | 1 | | * | |
| | Check valve | | | 0.0167 | 0.2000 |
| | Shut-off valve | | | 0.0167 | |
| | Pump exit line | | | | 0.0835 |
| | Turbine inlet line | | | | 0.0835 |
| | Turbine exit line | | | 0.0111 | 0.0835 |
| Combustion chamber/nozzle | | 1 | 8 | 0.0215 | 0.0010 |
| | | 1 | 8 | 0.0001 | 0.0920 |
| | Comb. chamber | 1 | 8 | 0.1078 | 0.1077 |
| | Nozzle | 1 | 8 | 0.0006 | 0.1930 |
| | Check valve | 1 | 8 | 0.0167 | 0.2000 |
| | Shut-off valve | 3 | 24 | 0.0167 | |
| | Oxidizer line | | 8 | 0.0111 | 0.0335 |
| | Fuel line | 1 | 8 | 0.0334 | 0.0835 |
| | Turbine inlet line | 1 | 8 | 0.0334 | 0.0835 |
| | Coolant line | 1 | 8 | 0.0334 | 0.0835 |
| Manifolds, etc. | LOX pump outlet | 1 | 1 | 0.0264 | |
| | LH2 pump outlet | 1 | 1 | 0.0660 | |
| | LOX turbine outlet | 1 | 1 | 0.0660 | 0.5000 |
| | LOX turbine inlet | 1 | 1 | 0.0660 | 0.5000 |
| | LH2 turbine inlet | 1 | 1 | 0.0660 | 0.5000 |
| | Turbine bypass valves | 2 | 2 | 0.0167 | 0.2000 |


TABLE II. - DISCRETE ENGINE PARTS SUMMARY

| Subassembly | Component | Number in set | Total number | Part failure rate (/1000 sec) (Markov) | Part shutdown rate (/1000 fir) (Binomial) |
|---|---|---|---|---|---|
| LOX pumps/turbines | Turbine | 1 | 8 | 0.0175 | 0.1466 |
| | Pump | | 8 | * | |
| | Control valve | 1 | 8 | 0.0167 | 0.2000 |
| LH2 pumps/turbines | Turbine | 1 | 8 | 0.0194 | 0.2419 |
| | Pump | 1 | 8 | | |
| | Control valve | 2 | 16 | 0.0167 | 0.2000 |
| | Main fuel valve | 1 | 8 | 0.0167 | 0.2000 |
| | Pump exit line | 1 | 8 | 0.0334 | 0.0835 |
| | Turbine inlet line | 1 | 8 | 0.0334 | 0.0835 |
| | Turbine exit line | | 8 | 0.0111 | 0.0835 |
| Combustion chamber/nozzle | Ignitor | | 8 | 0.0215 | 0.0010 |
| | Injector | 1 | 8 | 0.0001 | 0.0920 |
| | Comb. chamber | 1 | 8 | 0.1078 | 0.1077 |
| | Nozzle | 1 | 8 | 0.0006 | 0.1930 |
| | Oxidizer line | 1 | 8 | 0.0111 | 0.0335 |
| | Fuel line | 1 | 8 | 0.0334 | 0.0835 |

TABLE III - EXAMPLE PAGE FROM FMEA FOR IME MANIFOLDS 


ITEM/FUNCTION | FAILURE MODE | FAILURE CAUSE | FAILURE EFFECT | FAIL. Z. RATE CAT. no FI | ACTION REQ.

ITEM/FUNCTION: Oxidizer Pump Outlet Manifold

FAILURE MODE:
7.1.1 Crack/fatigue
7.1.2 Contamination in ducting
7.1.3 Flange distortion
7.1.4 Contamination of seals/sealing surface
7.1.5 Seal failure
7.1.6 Fastener torque relaxation

tion, material defect, overstress,
7.1.2 External source, manufactur
to chamber, loss of
7.1.4 External source, manufactur
7.1.1 Structural proof testing; safety factor of 1.4
7.1.2 Rigorous inspection; contamination control procedures
leak checks prior to start; rigorous
overstress, over
7.1.6 Vibration, excess, load, improper assembly,
tion control
7.1.5 same as
7.1.6 same as
7.1.3 also self locking nuts or


TABLE IV - EXAMPLE PAGE FROM PHA FOR THE IME MANIFOLDS

| HAZARD CONDITION | HAZARD CAUSE(S) | HAZARD EFFECTS | HAZARD CONTROLS | REMARKS |
|---|---|---|---|---|
| Fire/Explosion | 6.1.1 Leakage of propellants from: a. Crack/fatigue; b. Flange distortion; c. Contamination of seal/sealing surface; d. Seal failure; e. Fastener torque relaxation (FMEA sections 6.1-6.14, 9.1, 9.2) | Leakage creates a potentially flammable environment; instrumentation may burn, preventing system health monitoring; adjacent hardware may overheat, leading to cracks/failures; total system loss | Hardware designed to safety factors of 1.1 in yield and 1.4 in ultimate; contamination control procedures; stress analysis of manifolds; leak checks prior to operation; rigorous inspection techniques | Manifold |
| | 6.1.2 Improper venting and routing of propellants from: a. Improper assembly; b. Vent gases reenter or collect in lines | Mixing of oxidizer and fuel may create a potentially flammable environment; instrumentation may burn, preventing system health monitoring; adjacent hardware may overheat, leading to cracks/failures; total system loss | All oxidizer and fuel lines will be properly marked to prevent improper assembly; oxygen turbopump interpropellant seal assembly vent line pressures will be monitored as red line | Manifold |

Figure 1.- IME schematic diagram, expander cycle configuration. Diagram labels: 8 thrust chamber assemblies total. Legend: control valve, shut-off valve, check valve, pump, turbine. Manifolds: LOX pump outlet, LH2 pump outlet, LOX turbine outlet, LH2 turbine inlet, LOX turbine inlet.





Figure 2.- Discrete engine schematic diagram, expander cycle configuration. Legend: control valve, shut-off valve, check valve, pump, turbine.








Figure 3.- Comparison of IME and discrete engine system reliability, no redundancy.

Figure 4.- Comparison of IME and discrete engine system reliability, one thrust chamber out, one turbopump out.





Figure 5.- Effect of valve shutdown rate on system reliability, one thrust chamber out, one turbopump out.

Figure 6.- Effect of manifold shutdown rate on system reliability, one thrust chamber out, one turbopump out.


Figure 7.- Sample state space diagram.

Figure 8.- Reliability comparison of discrete and IME concepts.

Axis label: Firing duration, sec

Figure 9.- Single-point failure effect on IME system reliability.

Axis label: Firing duration, sec

Figure 10.- IME system reliability sensitivity to component failure rate.

Figure 11.- Health monitoring effect on IME system reliability.



Figure 12.- Sample page from IME fault tree.

AND gate - Output fault occurs if all the input faults occur

OR gate - Output fault occurs if at least one of the input faults occurs

BASIC EVENT - Basic initiating fault event that requires no further development

TRANSFER IN - Indicates that the tree is developed further at the occurrence of the corresponding TRANSFER OUT

TRANSFER OUT - Indicates that this portion of the tree must be attached at the corresponding TRANSFER IN

Figure 13.- Fault tree symbols.